Now is a good time to discuss PHP Hack Challenge I, since we have already discussed it in class. I am noting the discussion here for the benefit of others who read my blog.

If you find any other smart approach, please let me know; a simple comment will do.

Code

<?php $_F=__FILE__;$_X='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';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>

As the first step, we should identify what is in the code snippet. We can use ; to separate the statements onto their own lines; then we can see things more clearly.

<?php
$_F=__FILE__;
$_X='Pz4JCTxkNHYgY2wxc3M9ImNsNTFyIj48L2Q0dj4NCgk8L2Q0dj48IS0tIC9jMm50MTRuNXIgLS0+DQoNCgk8ZDR2IDRkPSJmMjJ0NXIiPg0KDQo8c3AxbiA0ZD0iYmwyZy1uMW01Ij48P3BocCBibDJnNG5mMignbjFtNScpOz8+PC9zcDFuPiA8P3BocCBibDJnNG5mMignZDVzY3I0cHQ0Mm4nKTsgPz4gQzJweXI0Z2h0ICZjMnB5OyA8P3BocCA1Y2gyIGQxdDUoJ1knKTs/PiAtIDwxIGhyNWY9Imh0dHA6Ly90MnB3cHRoNW01cy5jMm0iIHQ0dGw1PSJXMnJkcHI1c3MgVGg1bTVzIiB0MXJnNXQ9Il9ibDFuayI+VzJyZHByNXNzIFRoNW01PC8xPiBkNXY1bDJwNWQgYnkgPDEgaHI1Zj0iaHR0cDovL3d3dy53NWJoMnN0NG5nZjFuLmMybSIgdDR0bDU9Ilc1YiBIMnN0NG5nIEYxbiIgdDFyZzV0PSJfYmwxbmsiPlc1YiBIMnN0NG5nIEYxbjwvMT4NCgk8L2Q0dj48IS0tIC9mMjJ0NXIgLS0+DQo8L2Q0dj48IS0tIC93cjFwcDVyIC0tPg0KPC9kNHY+PCEtLSAvYjJkeS00biAtLT4NCjw/cGhwIHdwX2YyMnQ1cigpOyA/Pg0KPC9iMmR5Pg0KPC9odG1sPg==';
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
?>

Now you can see things more clearly: two variables, and then eval() used with base64_decode(). Therefore we can call base64_decode() ourselves and see what is passed to eval().

If you run the following snippet, you get the code that was encoded with base64.

<?PHP
$txt= base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==');
echo $txt;
?>

The output would be

$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);eval($_R);$_R=0;$_X=0;

Again, if we separate the statements at each ;, the result is as follows:

$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
eval($_R);
$_R=0;
$_X=0;

If you check the original code, you will see that the two variables $_F and $_X are defined there.

$_X is base64 encoded, so we will decode it and see what it contains.

This is the output.

?>		<d4v cl1ss="cl51r"></d4v>
	</d4v><!-- /c2nt14n5r -->

	<d4v 4d="f22t5r">

<sp1n 4d="bl2g-n1m5"><?php bl2g4nf2('n1m5');?></sp1n> <?php bl2g4nf2('d5scr4pt42n'); ?> C2pyr4ght &c2py; <?php 5ch2 d1t5('Y');?> - <1 hr5f="http://t2pwpth5m5s.c2m" t4tl5="W2rdpr5ss Th5m5s" t1rg5t="_bl1nk">W2rdpr5ss Th5m5</1> d5v5l2p5d by <1 hr5f="http://www.w5bh2st4ngf1n.c2m" t4tl5="W5b H2st4ng F1n" t1rg5t="_bl1nk">W5b H2st4ng F1n</1>
	</d4v><!-- /f22t5r -->
</d4v><!-- /wr1pp5r -->
</d4v><!-- /b2dy-4n -->
<?php wp_f22t5r(); ?>
</b2dy>
</html>

Therefore $_X contains HTML code. The next thing to deal with is the strtr() function. The beauty of this function is that it replaces 1 with a, 2 with o, 3 with u, and so on.

$_X=strtr($_X,'123456aouie','aouie123456');

Therefore, after running this function, $_X is converted as shown below.

?>		<div class="clear"></div>
	</div><!-- /container -->

	<div id="footer">

<span id="blog-name"><?php bloginfo('name');?></span> <?php bloginfo('description'); ?> Copyright &copy; <?php echo date('Y');?> - <a href="http://topwpthemes.com" title="Wordpress Themes" target="_blank">Wordpress Theme</a> developed by <a href="http://www.webhostingfan.com" title="Web Hosting Fan" target="_blank">Web Hosting Fan</a>
	</div><!-- /footer -->
</div><!-- /wrapper -->
</div><!-- /body-in -->
<?php wp_footer(); ?>
</body>
</html>

Above is the code that the author tried to hide using base64 encoding, with eval() used to execute it.

__FILE__ is one of PHP's magic constants, and I have discussed them earlier in this blog.

However, in this code snippet it is easy to break it, because you can see the base64_decode() function; if that function cannot be seen, you are in a bit of trouble. In such cases you have to examine the encoded text. Most of the time, if you can see = or == at the end of the text, it may be encoded using base64, so it is better to try that first.

As a next step, think about what further actions could be taken to increase the quality of the code.
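The whole walkthrough above, together with the "try base64 first" check, can be done statically so that the hidden code is never passed to eval(). The script below is an added example, not code from the original post: the function names, the default file path and the sample footer are assumptions constructed for illustration, and the base64 check also accepts text whose = padding is missing.

```python
import base64
import re

# Loader text exactly as decoded on this page (the argument of the outer eval).
LOADER = ("$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');"
          "$_R=ereg_replace('__FILE__',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")

def b64_layer(text):
    """Return the decoded text if `text` is strict base64, padded or not, else None."""
    s = text.strip()
    if len(s) < 8 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return None
    s = s.rstrip("=")
    s += "=" * (-len(s) % 4)  # no '=' appears when the plaintext length is a multiple of 3
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except ValueError:  # impossible length, or bytes that are not text
        return None

def deobfuscate(php_source, file_path="/path/to/file.php"):
    """Recover (loader, hidden code) statically; nothing is ever evaluated."""
    blob = re.search(r"\$_X='([^']*)'", php_source).group(1)
    stub = re.search(r"eval\(base64_decode\('([^']*)'\)\)", php_source).group(1)
    loader = b64_layer(stub)
    # Read the two strtr() alphabets out of the decoded loader instead of hard-coding them.
    src, dst = re.search(r"strtr\(\$_X,'([^']*)','([^']*)'\)", loader).groups()
    hidden = b64_layer(blob).translate(str.maketrans(src, dst))
    return loader, hidden.replace("__FILE__", "'" + file_path + "'")

def make_sample(plain):
    """Constructed sample: wrap `plain` in the same layers as the challenge file."""
    swapped = plain.translate(str.maketrans("aouie123456", "123456aouie"))
    enc = lambda t: base64.b64encode(t.encode()).decode()
    return "<?php $_F=__FILE__;$_X='%s';eval(base64_decode('%s'));?>" % (enc(swapped), enc(LOADER))

if __name__ == "__main__":
    footer = "?><div id=\"footer\"><?php echo date('Y'); ?></div>"  # constructed input
    loader, hidden = deobfuscate(make_sample(footer))
    print(loader)
    print(hidden)
```
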


Please add your valuable ideas below and we will have a discussion, thanks!
